OpenVPN
tls_crypt.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2016-2021 Sentyron B.V. <openvpn@sentyron.com>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, see <https://www.gnu.org/licenses/>.
21 */
22
23#ifdef HAVE_CONFIG_H
24#include "config.h"
25#endif
26
27#include "syshead.h"
28
29#include "argv.h"
30#include "base64.h"
31#include "crypto.h"
32#include "platform.h"
33#include "run_command.h"
34#include "session_id.h"
35#include "ssl.h"
36
37#include "tls_crypt.h"
38
39const char *tls_crypt_v2_cli_pem_name = "OpenVPN tls-crypt-v2 client key";
40const char *tls_crypt_v2_srv_pem_name = "OpenVPN tls-crypt-v2 server key";
41
43static const uint8_t TLS_CRYPT_METADATA_TYPE_USER = 0x00;
45static const uint8_t TLS_CRYPT_METADATA_TYPE_TIMESTAMP = 0x01;
46
47static struct key_type
49{
50 return create_kt("AES-256-CTR", "SHA256", "tls-crypt");
51}
52
53int
58
59void
60tls_crypt_init_key(struct key_ctx_bi *key, struct key2 *keydata, const char *key_file,
61 bool key_inline, bool tls_server)
62{
63 const int key_direction = tls_server ? KEY_DIRECTION_NORMAL : KEY_DIRECTION_INVERSE;
64 struct key_type kt = tls_crypt_kt();
65 if (!kt.cipher || !kt.digest)
66 {
67 msg(M_FATAL, "ERROR: --tls-crypt not supported");
68 }
69 crypto_read_openvpn_key(&kt, key, key_file, key_inline, key_direction,
70 "Control Channel Encryption", "tls-crypt", keydata);
71}
72
76static void
77xor_key2(struct key2 *key, const struct key2 *other)
78{
79 ASSERT(key->n == 2 && other->n == 2);
80 for (int k = 0; k < 2; k++)
81 {
82 for (int j = 0; j < MAX_CIPHER_KEY_LENGTH; j++)
83 {
84 key->keys[k].cipher[j] = key->keys[k].cipher[j] ^ other->keys[k].cipher[j];
85 }
86
87 for (int j = 0; j < MAX_HMAC_KEY_LENGTH; j++)
88 {
89 key->keys[k].hmac[j] = key->keys[k].hmac[j] ^ other->keys[k].hmac[j];
90 }
91 }
92}
93
94bool
96{
97 struct key2 rengokeys;
99 strlen(EXPORT_DYNAMIC_TLS_CRYPT_LABEL), rengokeys.keys,
100 sizeof(rengokeys.keys)))
101 {
102 return false;
103 }
104 rengokeys.n = 2;
105
106 session->tls_wrap_reneg.opt = session->tls_wrap.opt;
107 session->tls_wrap_reneg.mode = TLS_WRAP_CRYPT;
108 session->tls_wrap_reneg.cleanup_key_ctx = true;
109 session->tls_wrap_reneg.work = alloc_buf(BUF_SIZE(&session->opt->frame));
110 session->tls_wrap_reneg.opt.pid_persist = NULL;
111
112 packet_id_init(&session->tls_wrap_reneg.opt.packet_id, session->opt->replay_window,
113 session->opt->replay_time, "TLS_WRAP_RENEG", session->key_id);
114
115 if (session->tls_wrap.mode == TLS_WRAP_CRYPT || session->tls_wrap.mode == TLS_WRAP_AUTH)
116 {
117 xor_key2(&rengokeys, &session->tls_wrap.original_wrap_keydata);
118 }
119
120 const int key_direction = session->opt->server ? KEY_DIRECTION_NORMAL : KEY_DIRECTION_INVERSE;
121
122 struct key_direction_state kds;
123 key_direction_state_init(&kds, key_direction);
124
125 struct key_type kt = tls_crypt_kt();
126
127 init_key_ctx_bi(&session->tls_wrap_reneg.opt.key_ctx_bi, &rengokeys, key_direction, &kt,
128 "dynamic tls-crypt");
129 secure_memzero(&rengokeys, sizeof(rengokeys));
130
131 return true;
132}
133
134
135bool
136tls_crypt_wrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt)
137{
138 const struct key_ctx *ctx = &opt->key_ctx_bi.encrypt;
139 struct gc_arena gc;
140
141 /* IV, packet-ID and implicit IV required for this mode. */
142 ASSERT(ctx->cipher);
143 ASSERT(ctx->hmac);
145 ASSERT(hmac_ctx_size(ctx->hmac) == 256 / 8);
146
147 gc_init(&gc);
148
149 dmsg(D_PACKET_CONTENT, "TLS-CRYPT WRAP FROM: %s", format_hex(BPTR(src), BLEN(src), 80, &gc));
150
151 /* Get packet ID */
152 if (!packet_id_write(&opt->packet_id.send, dst, true, false))
153 {
154 msg(D_CRYPT_ERRORS, "TLS-CRYPT ERROR: packet ID roll over.");
155 goto err;
156 }
157
158 dmsg(D_PACKET_CONTENT, "TLS-CRYPT WRAP AD: %s", format_hex(BPTR(dst), BLEN(dst), 0, &gc));
159
160 /* Buffer overflow check */
162 {
164 "TLS-CRYPT WRAP: buffer size error, "
165 "sc=%d so=%d sl=%d dc=%d do=%d dl=%d",
166 src->capacity, src->offset, src->len, dst->capacity, dst->offset, dst->len);
167 goto err;
168 }
169
170 /* Calculate auth tag and synthetic IV */
171 {
172 uint8_t *tag = NULL;
173 hmac_ctx_reset(ctx->hmac);
174 hmac_ctx_update(ctx->hmac, BPTR(dst), BLEN(dst));
175 hmac_ctx_update(ctx->hmac, BPTR(src), BLEN(src));
176
178 hmac_ctx_final(ctx->hmac, tag);
179
180 dmsg(D_PACKET_CONTENT, "TLS-CRYPT WRAP TAG: %s",
181 format_hex(tag, TLS_CRYPT_TAG_SIZE, 0, &gc));
182
183 /* Use the 128 most significant bits of the tag as IV */
184 ASSERT(cipher_ctx_reset(ctx->cipher, tag));
185 }
186
187 /* Encrypt src */
188 {
189 int outlen = 0;
190 ASSERT(cipher_ctx_update(ctx->cipher, BEND(dst), &outlen, BPTR(src), BLEN(src)));
191 ASSERT(buf_inc_len(dst, outlen));
192 ASSERT(cipher_ctx_final(ctx->cipher, BPTR(dst), &outlen));
193 ASSERT(buf_inc_len(dst, outlen));
194 }
195
196 dmsg(D_PACKET_CONTENT, "TLS-CRYPT WRAP TO: %s", format_hex(BPTR(dst), BLEN(dst), 80, &gc));
197
198 gc_free(&gc);
199 return true;
200
201err:
203 dst->len = 0;
204 gc_free(&gc);
205 return false;
206}
207
208#if defined(__GNUC__) || defined(__clang__)
209#pragma GCC diagnostic push
210#pragma GCC diagnostic ignored "-Wconversion"
211#endif
212
213bool
214tls_crypt_unwrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt)
215{
216 static const char error_prefix[] = "tls-crypt unwrap error";
217 const struct key_ctx *ctx = &opt->key_ctx_bi.decrypt;
218 struct gc_arena gc;
219
220 gc_init(&gc);
221
222 ASSERT(opt);
223 ASSERT(src->len > 0);
224 ASSERT(ctx->cipher);
226
227 dmsg(D_PACKET_CONTENT, "TLS-CRYPT UNWRAP FROM: %s", format_hex(BPTR(src), BLEN(src), 80, &gc));
228
229 if (buf_len(src) < TLS_CRYPT_OFF_CT)
230 {
231 CRYPT_ERROR("packet too short");
232 }
233
234 /* Decrypt cipher text */
235 {
236 int outlen = 0;
237
238 /* Buffer overflow check (should never fail) */
240 {
241 CRYPT_ERROR("potential buffer overflow");
242 }
243
245 {
246 CRYPT_ERROR("cipher reset failed");
247 }
248 if (!cipher_ctx_update(ctx->cipher, BPTR(dst), &outlen, BPTR(src) + TLS_CRYPT_OFF_CT,
249 BLEN(src) - TLS_CRYPT_OFF_CT))
250 {
251 CRYPT_ERROR("cipher update failed");
252 }
253 ASSERT(buf_inc_len(dst, outlen));
254 if (!cipher_ctx_final(ctx->cipher, BPTR(dst), &outlen))
255 {
256 CRYPT_ERROR("cipher final failed");
257 }
258 ASSERT(buf_inc_len(dst, outlen));
259 }
260
261 /* Check authentication */
262 {
263 const uint8_t *tag = BPTR(src) + TLS_CRYPT_OFF_TAG;
264 uint8_t tag_check[TLS_CRYPT_TAG_SIZE] = { 0 };
265
266 dmsg(D_PACKET_CONTENT, "TLS-CRYPT UNWRAP AD: %s",
267 format_hex(BPTR(src), TLS_CRYPT_OFF_TAG, 0, &gc));
268 dmsg(D_PACKET_CONTENT, "TLS-CRYPT UNWRAP TO: %s",
269 format_hex(BPTR(dst), BLEN(dst), 80, &gc));
270
271 hmac_ctx_reset(ctx->hmac);
273 hmac_ctx_update(ctx->hmac, BPTR(dst), BLEN(dst));
274 hmac_ctx_final(ctx->hmac, tag_check);
275
276 if (memcmp_constant_time(tag, tag_check, sizeof(tag_check)))
277 {
278 dmsg(D_CRYPTO_DEBUG, "tag : %s", format_hex(tag, sizeof(tag_check), 0, &gc));
279 dmsg(D_CRYPTO_DEBUG, "tag_check: %s", format_hex(tag_check, sizeof(tag_check), 0, &gc));
280 CRYPT_ERROR("packet authentication failed");
281 }
282 }
283
284 /* Check replay */
285 if (!(opt->flags & CO_IGNORE_PACKET_ID))
286 {
287 struct packet_id_net pin;
288 struct buffer tmp = *src;
290 ASSERT(packet_id_read(&pin, &tmp, true));
291 if (!crypto_check_replay(opt, &pin, 0, error_prefix, &gc))
292 {
293 CRYPT_ERROR("packet replay");
294 }
295 }
296
297 gc_free(&gc);
298 return true;
299
302 dst->len = 0;
303 gc_free(&gc);
304 return false;
305}
306
307static inline void
308tls_crypt_v2_load_client_key(struct key_ctx_bi *key, const struct key2 *key2, bool tls_server)
309{
310 const int key_direction = tls_server ? KEY_DIRECTION_NORMAL : KEY_DIRECTION_INVERSE;
311 struct key_type kt = tls_crypt_kt();
312 if (!kt.cipher || !kt.digest)
313 {
314 msg(M_FATAL, "ERROR: --tls-crypt-v2 not supported");
315 }
316 init_key_ctx_bi(key, key2, key_direction, &kt, "Control Channel Encryption");
317}
318
319void
320tls_crypt_v2_init_client_key(struct key_ctx_bi *key, struct key2 *original_key,
321 struct buffer *wkc_buf, const char *key_file, bool key_inline)
322{
324
326 {
327 msg(M_FATAL, "ERROR: invalid tls-crypt-v2 client key format");
328 }
329
330 struct key2 key2 = { .n = 2 };
331 if (!buf_read(&client_key, &key2.keys, sizeof(key2.keys)))
332 {
333 msg(M_FATAL, "ERROR: not enough data in tls-crypt-v2 client key");
334 }
335
337 *original_key = key2;
338
339 *wkc_buf = client_key;
340}
341
342void
343tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt, const char *key_file,
344 bool key_inline)
345{
346 struct key srv_key;
347 struct buffer srv_key_buf;
348
349 buf_set_write(&srv_key_buf, (void *)&srv_key, sizeof(srv_key));
351 {
352 msg(M_FATAL, "ERROR: invalid tls-crypt-v2 server key format");
353 }
354
355 struct key_type kt = tls_crypt_kt();
356 if (!kt.cipher || !kt.digest)
357 {
358 msg(M_FATAL, "ERROR: --tls-crypt-v2 not supported");
359 }
360 struct key_parameters srv_key_params;
361
362 key_parameters_from_key(&srv_key_params, &srv_key);
363
364 init_key_ctx(key_ctx, &srv_key_params, &kt, encrypt, "tls-crypt-v2 server key");
365 secure_memzero(&srv_key, sizeof(srv_key));
366}
367
368static bool
369tls_crypt_v2_wrap_client_key(struct buffer *wkc, const struct key2 *src_key,
370 const struct buffer *src_metadata, struct key_ctx *server_key,
371 struct gc_arena *gc)
372{
373 cipher_ctx_t *cipher_ctx = server_key->cipher;
374 struct buffer work =
376
377 /* Calculate auth tag and synthetic IV */
379 if (!tag)
380 {
381 msg(M_WARN, "ERROR: could not write tag");
382 return false;
383 }
384 uint16_t net_len = htons(sizeof(src_key->keys) + BLEN(src_metadata) + TLS_CRYPT_V2_TAG_SIZE
385 + sizeof(uint16_t));
388 hmac_ctx_update(hmac_ctx, (void *)&net_len, sizeof(net_len));
389 hmac_ctx_update(hmac_ctx, (void *)src_key->keys, sizeof(src_key->keys));
392
393 dmsg(D_CRYPTO_DEBUG, "TLS-CRYPT WRAP TAG: %s", format_hex(tag, TLS_CRYPT_TAG_SIZE, 0, gc));
394
395 /* Use the 128 most significant bits of the tag as IV */
397
398 /* Overflow check (OpenSSL requires an extra block in the dst buffer) */
399 if (buf_forward_capacity(&work) < (sizeof(src_key->keys) + BLEN(src_metadata) + sizeof(net_len)
401 {
402 msg(M_WARN, "ERROR: could not crypt: insufficient space in dst");
403 return false;
404 }
405
406 /* Encrypt */
407 int outlen = 0;
408 ASSERT(cipher_ctx_update(cipher_ctx, BEND(&work), &outlen, (void *)src_key->keys,
409 sizeof(src_key->keys)));
410 ASSERT(buf_inc_len(&work, outlen));
413 ASSERT(buf_inc_len(&work, outlen));
415 ASSERT(buf_inc_len(&work, outlen));
416 ASSERT(buf_write(&work, &net_len, sizeof(net_len)));
417
418 return buf_copy(wkc, &work);
419}
420
421#if defined(__GNUC__) || defined(__clang__)
422#pragma GCC diagnostic pop
423#endif
424
425static bool
426tls_crypt_v2_unwrap_client_key(struct key2 *client_key, struct buffer *metadata,
428{
429 const char *error_prefix = __func__;
430 bool ret = false;
431 struct gc_arena gc = gc_new();
432 /* The crypto API requires one extra cipher block of buffer head room when
433 * decrypting, which nicely matches the tag size of WKc. So
434 * TLS_CRYPT_V2_MAX_WKC_LEN is always large enough for the plaintext. */
435 uint8_t plaintext_buf_data[TLS_CRYPT_V2_MAX_WKC_LEN] = { 0 };
436 struct buffer plaintext = { 0 };
437
438 dmsg(D_TLS_DEBUG_MED, "%s: unwrapping client key (len=%d): %s", __func__,
441
443 {
444 CRYPT_ERROR("wrapped client key too big");
445 }
446
447 /* Decrypt client key and metadata */
448 uint16_t net_len = 0;
450
451 if (BLEN(&wrapped_client_key) < sizeof(net_len))
452 {
453 CRYPT_ERROR("failed to read length");
454 }
455 memcpy(&net_len, BEND(&wrapped_client_key) - sizeof(net_len), sizeof(net_len));
456
457 if (ntohs(net_len) != BLEN(&wrapped_client_key))
458 {
459 dmsg(D_TLS_DEBUG_LOW, "%s: net_len=%u, BLEN=%i", __func__, ntohs(net_len),
461 CRYPT_ERROR("invalid length");
462 }
463
464 buf_inc_len(&wrapped_client_key, -(int)sizeof(net_len));
465
467 {
468 CRYPT_ERROR("failed to read tag");
469 }
470
471 if (!cipher_ctx_reset(server_key->cipher, tag))
472 {
473 CRYPT_ERROR("failed to initialize IV");
474 }
476 int outlen = 0;
479 {
480 CRYPT_ERROR("could not decrypt client key");
481 }
483
485 {
486 CRYPT_ERROR("cipher final failed");
487 }
489
490 /* Check authentication */
493 hmac_ctx_update(server_key->hmac, (void *)&net_len, sizeof(net_len));
496
498 {
499 dmsg(D_CRYPTO_DEBUG, "tag : %s", format_hex(tag, sizeof(tag_check), 0, &gc));
500 dmsg(D_CRYPTO_DEBUG, "tag_check: %s", format_hex(tag_check, sizeof(tag_check), 0, &gc));
501 CRYPT_ERROR("client key authentication error");
502 msg(D_TLS_DEBUG_LOW, "This might be a client-key that was generated for "
503 "a different tls-crypt-v2 server key)");
504 }
505
506 if (buf_len(&plaintext) < sizeof(client_key->keys))
507 {
508 CRYPT_ERROR("failed to read client key");
509 }
510 memcpy(&client_key->keys, BPTR(&plaintext), sizeof(client_key->keys));
511 ASSERT(buf_advance(&plaintext, sizeof(client_key->keys)));
512 client_key->n = 2;
513
514 if (!buf_copy(metadata, &plaintext))
515 {
516 CRYPT_ERROR("metadata too large for supplied buffer");
517 }
518
519 ret = true;
521 if (!ret)
522 {
523 secure_memzero(client_key, sizeof(*client_key));
524 }
526 gc_free(&gc);
527 return ret;
528}
529
530static bool
531tls_crypt_v2_verify_metadata(const struct tls_wrap_ctx *ctx, const struct tls_options *opt)
532{
533 bool ret = false;
534 struct gc_arena gc = gc_new();
535 const char *tmp_file = NULL;
536 struct buffer metadata = ctx->tls_crypt_v2_metadata;
537 int metadata_type = buf_read_u8(&metadata);
538 if (metadata_type < 0)
539 {
540 msg(M_WARN, "ERROR: no metadata type");
541 goto cleanup;
542 }
543
544 tmp_file = platform_create_temp_file(opt->tmp_dir, "tls_crypt_v2_metadata_", &gc);
545 if (!tmp_file || !buffer_write_file(tmp_file, &metadata))
546 {
547 msg(M_WARN, "ERROR: could not write metadata to file");
548 goto cleanup;
549 }
550
551 char metadata_type_str[4] = { 0 }; /* Max value: 255 */
553 struct env_set *es = env_set_create(NULL);
554 setenv_str(es, "script_type", "tls-crypt-v2-verify");
555 setenv_str(es, "metadata_type", metadata_type_str);
556 setenv_str(es, "metadata_file", tmp_file);
557
558 struct argv argv = argv_new();
560 argv_msg_prefix(D_TLS_DEBUG, &argv, "Executing tls-crypt-v2-verify");
561
562 ret = openvpn_run_script(&argv, es, 0, "--tls-crypt-v2-verify");
563
564 argv_free(&argv);
566
567 if (!platform_unlink(tmp_file))
568 {
569 msg(M_WARN, "WARNING: failed to remove temp file '%s", tmp_file);
570 }
571
572 if (ret)
573 {
574 msg(D_HANDSHAKE, "TLS CRYPT V2 VERIFY SCRIPT OK");
575 }
576 else
577 {
578 msg(D_HANDSHAKE, "TLS CRYPT V2 VERIFY SCRIPT ERROR");
579 }
580
581cleanup:
582 gc_free(&gc);
583 return ret;
584}
585
586bool
588 const struct tls_options *opt, bool initial_packet)
589{
591 {
592 msg(D_TLS_ERRORS, "Client wants tls-crypt-v2, but no server key present.");
593 return false;
594 }
595
596 msg(D_HANDSHAKE, "Control Channel: using tls-crypt-v2 key");
597
598 struct buffer wrapped_client_key = *buf;
599 uint16_t net_len = 0;
600
601 if (BLEN(&wrapped_client_key) < sizeof(net_len))
602 {
603 msg(D_TLS_ERRORS, "Can not read tls-crypt-v2 client key length");
604 return false;
605 }
606 memcpy(&net_len, BEND(&wrapped_client_key) - sizeof(net_len), sizeof(net_len));
607
608 uint16_t wkc_len = ntohs(net_len);
610 {
611 msg(D_TLS_ERRORS, "Can not locate tls-crypt-v2 client key");
612 return false;
613 }
614
615 if (!initial_packet)
616 {
617 /* This might be a harmless resend of the packet but it is better to
618 * just ignore the WKC part than trying to setup tls-crypt keys again.
619 *
620 * A CONTROL_WKC_V1 packets has a normal packet part and an appended
621 * wrapped control key. These are authenticated individually. We already
622 * set up tls-crypt with the wrapped key, so we are ignoring this part
623 * of the message but we return the normal packet part as the normal
624 * part of the message might have been corrupted earlier and discarded
625 * and this is resend. So return the normal part of the packet,
626 * basically transforming the CONTROL_WKC_V1 into a normal CONTROL_V1
627 * packet*/
628 msg(D_TLS_ERRORS, "control channel security already setup ignoring "
629 "wrapped key part of packet.");
630
631 /* Remove client key from buffer so tls-crypt code can unwrap message */
633 return true;
634 }
635
639 {
640 msg(D_TLS_ERRORS, "Can not unwrap tls-crypt-v2 client key");
642 return false;
643 }
644
645 /* Load the decrypted key */
646 ctx->mode = TLS_WRAP_CRYPT;
647 ctx->cleanup_key_ctx = true;
649 memset(&ctx->opt.key_ctx_bi, 0, sizeof(ctx->opt.key_ctx_bi));
651
652 /* Remove client key from buffer so tls-crypt code can unwrap message */
654
655 if (opt && opt->tls_crypt_v2_verify_script)
656 {
657 return tls_crypt_v2_verify_metadata(ctx, opt);
658 }
659
660 return true;
661}
662
663void
668
669void
670tls_crypt_v2_write_client_key_file(const char *filename, const char *b64_metadata,
671 const char *server_key_file, bool server_key_inline)
672{
673 struct gc_arena gc = gc_new();
674 struct key_ctx server_key = { 0 };
675 struct buffer client_key_pem = { 0 };
677 struct key2 client_key = { .n = 2 };
678
679 if (!rand_bytes((void *)client_key.keys, sizeof(client_key.keys)))
680 {
681 msg(M_FATAL, "ERROR: could not generate random key");
682 goto cleanup;
683 }
684 ASSERT(buf_write(&dst, client_key.keys, sizeof(client_key.keys)));
685
686 struct buffer metadata;
687 if (b64_metadata)
688 {
692 int decoded_len = openvpn_base64_decode(b64_metadata, BEND(&metadata), BCAP(&metadata));
693 if (decoded_len < 0)
694 {
695 msg(M_FATAL, "ERROR: failed to base64 decode provided metadata");
696 goto cleanup;
697 }
699 {
700 msg(M_FATAL, "ERROR: metadata too long (%d bytes, max %u bytes)", decoded_len,
702 goto cleanup;
703 }
704 ASSERT(buf_inc_len(&metadata, decoded_len));
705 }
706 else
707 {
708 metadata = alloc_buf_gc(1 + sizeof(int64_t), &gc);
709 int64_t timestamp = htonll((uint64_t)now);
711 ASSERT(buf_write(&metadata, &timestamp, sizeof(timestamp)));
712 }
713
715 if (!tls_crypt_v2_wrap_client_key(&dst, &client_key, &metadata, &server_key, &gc))
716 {
717 msg(M_FATAL, "ERROR: could not wrap generated client key");
718 goto cleanup;
719 }
720
721 /* PEM-encode Kc || WKc */
723 {
724 msg(M_FATAL, "ERROR: could not PEM-encode client key");
725 goto cleanup;
726 }
727
728 const char *client_file = filename;
729 bool client_inline = false;
730
731 if (!filename || streq(filename, ""))
732 {
734 client_file = (const char *)BPTR(&client_key_pem);
735 client_inline = true;
736 }
737 else if (!buffer_write_file(filename, &client_key_pem))
738 {
739 msg(M_FATAL, "ERROR: could not write client key file");
740 goto cleanup;
741 }
742
743 /* Sanity check: load client key (as "client") */
746 struct key2 keydata;
747 msg(D_GENKEY, "Testing client-side key loading...");
748 tls_crypt_v2_init_client_key(&test_client_key, &keydata, &test_wrapped_client_key, client_file,
749 client_inline);
751
752 /* Sanity check: unwrap and load client key (as "server") */
754 struct key2 test_client_key2 = { 0 };
755 free_key_ctx(&server_key);
756 tls_crypt_v2_init_server_key(&server_key, false, server_key_file, server_key_inline);
757 msg(D_GENKEY, "Testing server-side key loading...");
758 ASSERT(tls_crypt_v2_unwrap_client_key(&test_client_key2, &test_metadata,
759 test_wrapped_client_key, &server_key));
760 secure_memzero(&test_client_key2, sizeof(test_client_key2));
761 free_buf(&test_wrapped_client_key);
762
763cleanup:
764 secure_memzero(&client_key, sizeof(client_key));
765 free_key_ctx(&server_key);
766 buf_clear(&client_key_pem);
767 buf_clear(&dst);
768
769 gc_free(&gc);
770}
void argv_parse_cmd(struct argv *argres, const char *cmdstr)
Parses a command string, tokenizes it and puts each element into a separate struct argv argument slot...
Definition argv.c:481
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
Definition argv.c:101
void argv_msg_prefix(const msglvl_t msglevel, const struct argv *a, const char *prefix)
Similar to argv_msg() but prefixes the messages being written with a given string.
Definition argv.c:259
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition argv.c:87
#define OPENVPN_BASE64_DECODED_LENGTH(base64_length)
Compute the maximal number of bytes encoded in a base64 string.
Definition base64.h:41
void free_buf(struct buffer *buf)
Definition buffer.c:184
void buf_clear(struct buffer *buf)
Definition buffer.c:163
bool buffer_write_file(const char *filename, const struct buffer *buf)
Write buffer contents to file.
Definition buffer.c:301
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition buffer.c:89
struct buffer alloc_buf(size_t size)
Definition buffer.c:63
#define BEND(buf)
Definition buffer.h:124
static char * format_hex(const uint8_t *data, int size, int maxoutput, struct gc_arena *gc)
Definition buffer.h:503
static bool buf_copy(struct buffer *dest, const struct buffer *src)
Definition buffer.h:704
#define BPTR(buf)
Definition buffer.h:123
static bool buf_inc_len(struct buffer *buf, int inc)
Definition buffer.h:588
static void gc_init(struct gc_arena *a)
Definition buffer.h:994
static bool buf_safe(const struct buffer *buf, size_t len)
Definition buffer.h:518
static void buf_set_write(struct buffer *buf, uint8_t *data, int size)
Definition buffer.h:331
static bool buf_read(struct buffer *src, void *dest, int size)
Definition buffer.h:762
static bool buf_advance(struct buffer *buf, int size)
Definition buffer.h:616
static int buf_len(const struct buffer *buf)
Definition buffer.h:253
static int buf_forward_capacity(const struct buffer *buf)
Definition buffer.h:539
static void secure_memzero(void *data, size_t len)
Securely zeroise memory.
Definition buffer.h:414
static uint8_t * buf_write_alloc(struct buffer *buf, size_t size)
Definition buffer.h:633
static bool buf_write(struct buffer *dest, const void *src, size_t size)
Definition buffer.h:660
static int buf_read_u8(struct buffer *buf)
Definition buffer.h:774
#define BLEN(buf)
Definition buffer.h:126
#define BCAP(buf)
Definition buffer.h:129
static void gc_free(struct gc_arena *a)
Definition buffer.h:1015
static struct gc_arena gc_new(void)
Definition buffer.h:1007
#define key2
Definition cert_data.h:80
void free_key_ctx_bi(struct key_ctx_bi *ctx)
Definition crypto.c:1099
void init_key_ctx(struct key_ctx *ctx, const struct key_parameters *key, const struct key_type *kt, int enc, const char *prefix)
Definition crypto.c:995
bool read_pem_key_file(struct buffer *key, const char *pem_name, const char *key_file, bool key_inline)
Read key material from a PEM encoded files into the key structure.
Definition crypto.c:1867
void write_pem_key_file(const char *filename, const char *pem_name)
Generate a server key with enough randomness to fill a key struct and write to file.
Definition crypto.c:1812
void key_parameters_from_key(struct key_parameters *key_params, const struct key *key)
Converts a struct key representation into a struct key_parameters representation.
Definition crypto.c:1188
void init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2, int key_direction, const struct key_type *kt, const char *name)
Definition crypto.c:1061
void key_direction_state_init(struct key_direction_state *kds, int key_direction)
Definition crypto.c:1673
void crypto_read_openvpn_key(const struct key_type *key_type, struct key_ctx_bi *ctx, const char *key_file, bool key_inline, const int key_direction, const char *key_name, const char *opt_name, struct key2 *keydata)
Definition crypto.c:1289
bool crypto_check_replay(struct crypto_options *opt, const struct packet_id_net *pin, uint16_t epoch, const char *error_prefix, struct gc_arena *gc)
Check packet ID for replay, and perform replay administration.
Definition crypto.c:374
void free_key_ctx(struct key_ctx *ctx)
Definition crypto.c:1080
Data Channel Cryptography Module.
#define KEY_DIRECTION_NORMAL
Definition crypto.h:232
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN's long packet ID format.
Definition crypto.h:345
#define CRYPT_ERROR(format)
Definition crypto.h:395
#define CO_IGNORE_PACKET_ID
Bit-flag indicating whether to ignore the packet ID of a received packet.
Definition crypto.h:348
int memcmp_constant_time(const void *a, const void *b, size_t size)
As memcmp(), but constant-time.
#define KEY_DIRECTION_INVERSE
Definition crypto.h:233
static struct key_type create_kt(const char *cipher, const char *md, const char *optname)
Creates and validates an instance of struct key_type with the provided algs.
Definition crypto.h:672
int cipher_ctx_update(cipher_ctx_t *ctx, uint8_t *dst, int *dst_len, uint8_t *src, int src_len)
Updates the given cipher context, encrypting data in the source buffer, and placing any complete bloc...
void hmac_ctx_update(hmac_ctx_t *ctx, const uint8_t *src, int src_len)
void hmac_ctx_reset(hmac_ctx_t *ctx)
int cipher_ctx_block_size(const cipher_ctx_t *ctx)
Returns the block size of the cipher, in bytes.
void hmac_ctx_final(hmac_ctx_t *ctx, uint8_t *dst)
int hmac_ctx_size(hmac_ctx_t *ctx)
#define MAX_CIPHER_KEY_LENGTH
void crypto_clear_error(void)
int rand_bytes(uint8_t *output, int len)
Wrapper for secure random number generator.
#define MAX_HMAC_KEY_LENGTH
int cipher_ctx_reset(cipher_ctx_t *ctx, const uint8_t *iv_buf)
Resets the given cipher context, setting the IV to the specified value.
int cipher_ctx_final(cipher_ctx_t *ctx, uint8_t *dst, int *dst_len)
Pads the final cipher block using PKCS padding, and output to the destination buffer.
bool crypto_pem_encode(const char *name, struct buffer *dst, const struct buffer *src, struct gc_arena *gc)
Encode binary data as PEM.
mbedtls_cipher_context_t cipher_ctx_t
Generic cipher context.
mbedtls_md_context_t hmac_ctx_t
Generic HMAC context.
void env_set_destroy(struct env_set *es)
Definition env_set.c:166
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition env_set.c:307
struct env_set * env_set_create(struct gc_arena *gc)
Definition env_set.c:156
#define D_TLS_DEBUG_LOW
Definition errlevel.h:76
#define D_CRYPTO_DEBUG
Definition errlevel.h:147
#define D_PACKET_CONTENT
Definition errlevel.h:167
#define D_TLS_DEBUG_MED
Definition errlevel.h:156
#define D_CRYPT_ERRORS
Definition errlevel.h:57
#define D_HANDSHAKE
Definition errlevel.h:71
#define D_GENKEY
Definition errlevel.h:78
#define D_TLS_ERRORS
Definition errlevel.h:58
#define D_TLS_DEBUG
Definition errlevel.h:164
#define TLS_CRYPT_V2_MAX_WKC_LEN
Definition tls_crypt.h:96
#define TLS_CRYPT_BLOCK_SIZE
Definition tls_crypt.h:90
bool tls_crypt_v2_extract_client_key(struct buffer *buf, struct tls_wrap_ctx *ctx, const struct tls_options *opt, bool initial_packet)
Extract a tls-crypt-v2 client key from a P_CONTROL_HARD_RESET_CLIENT_V3 message, and load the key int...
Definition tls_crypt.c:587
void tls_crypt_init_key(struct key_ctx_bi *key, struct key2 *keydata, const char *key_file, bool key_inline, bool tls_server)
Initialize a key_ctx_bi structure for use with --tls-crypt.
Definition tls_crypt.c:60
#define TLS_CRYPT_TAG_SIZE
Definition tls_crypt.h:88
void tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt, const char *key_file, bool key_inline)
Initialize a tls-crypt-v2 server key (used to encrypt/decrypt client keys).
Definition tls_crypt.c:343
void tls_crypt_v2_write_client_key_file(const char *filename, const char *b64_metadata, const char *server_key_file, bool server_key_inline)
Generate a tls-crypt-v2 client key, and write to file.
Definition tls_crypt.c:670
#define TLS_CRYPT_OFF_PID
Definition tls_crypt.h:92
bool tls_crypt_unwrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt)
Unwrap a control channel packet (decrypts, authenticates and performs replay checks).
Definition tls_crypt.c:214
#define TLS_CRYPT_OFF_TAG
Definition tls_crypt.h:93
#define TLS_CRYPT_OFF_CT
Definition tls_crypt.h:94
bool tls_session_generate_dynamic_tls_crypt_key(struct tls_session *session)
Generates a TLS-Crypt key to be used with dynamic tls-crypt using the TLS EKM exporter function.
Definition tls_crypt.c:95
void tls_crypt_v2_write_server_key_file(const char *filename)
Generate a tls-crypt-v2 server key, and write to file.
Definition tls_crypt.c:664
int tls_crypt_buf_overhead(void)
Returns the maximum overhead (in bytes) added to the destination buffer by tls_crypt_wrap().
Definition tls_crypt.c:54
#define TLS_CRYPT_V2_CLIENT_KEY_LEN
Definition tls_crypt.h:97
void tls_crypt_v2_init_client_key(struct key_ctx_bi *key, struct key2 *original_key, struct buffer *wkc_buf, const char *key_file, bool key_inline)
Initialize a tls-crypt-v2 client key.
Definition tls_crypt.c:320
bool tls_crypt_wrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt)
Wrap a control channel packet (both authenticates and encrypts the data).
Definition tls_crypt.c:136
#define TLS_CRYPT_V2_MAX_METADATA_LEN
Definition tls_crypt.h:100
#define TLS_CRYPT_V2_TAG_SIZE
Definition tls_crypt.h:99
#define htonll(x)
Definition integer.h:29
#define BUF_SIZE(f)
Definition mtu.h:178
#define M_FATAL
Definition error.h:90
#define dmsg(flags,...)
Definition error.h:172
#define msg(flags,...)
Definition error.h:152
#define ASSERT(x)
Definition error.h:219
#define M_WARN
Definition error.h:92
#define streq(x, y)
Definition options.h:727
time_t now
Definition otime.c:33
void packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit)
Definition packet_id.c:96
bool packet_id_read(struct packet_id_net *pin, struct buffer *buf, bool long_form)
Definition packet_id.c:319
bool packet_id_write(struct packet_id_send *p, struct buffer *buf, bool long_form, bool prepend)
Write a packet ID to buf, and update the packet ID state.
Definition packet_id.c:382
static bool packet_id_initialized(const struct packet_id *pid)
Is this struct packet_id initialized?
Definition packet_id.h:271
static int packet_id_size(bool long_form)
Definition packet_id.h:322
const char * platform_create_temp_file(const char *directory, const char *prefix, struct gc_arena *gc)
Create a temporary file in directory, returns the filename of the created file.
Definition platform.c:544
bool platform_unlink(const char *filename)
Definition platform.c:491
static int openvpn_run_script(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *hook)
Will run a script and return the exit code of the script if between 0 and 255, -1 otherwise.
Definition run_command.h:89
int openvpn_base64_decode(const char *str, void *data, int size)
Definition base64.c:160
Control Channel SSL/Data channel negotiation module.
#define EXPORT_DYNAMIC_TLS_CRYPT_LABEL
bool key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size, void *ekm, size_t ekm_size)
Keying Material Exporters [RFC 5705] allows additional keying material to be derived from existing TL...
Definition argv.h:35
Wrapper structure for dynamically allocated memory.
Definition buffer.h:60
int capacity
Size in bytes of memory allocated by malloc().
Definition buffer.h:61
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:65
int offset
Offset in bytes of the actual content within the allocated memory.
Definition buffer.h:63
Security parameter state for processing data channel packets.
Definition crypto.h:293
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition crypto.h:384
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition crypto.h:294
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition crypto.h:331
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:116
Container for bidirectional cipher and HMAC key material.
Definition crypto.h:240
int n
The number of key objects stored in the key2.keys array.
Definition crypto.h:241
struct key keys[2]
Two unidirectional sets of key material.
Definition crypto.h:243
Container for two sets of OpenSSL cipher and/or HMAC contexts for both sending and receiving directio...
Definition crypto.h:280
struct key_ctx decrypt
cipher and/or HMAC contexts for receiving direction.
Definition crypto.h:283
struct key_ctx encrypt
Cipher and/or HMAC contexts for sending direction.
Definition crypto.h:281
Container for one set of cipher and/or HMAC contexts.
Definition crypto.h:202
cipher_ctx_t * cipher
Generic cipher context.
Definition crypto.h:203
hmac_ctx_t * hmac
Generic HMAC context.
Definition crypto.h:204
Key ordering of the key2.keys array.
Definition crypto.h:259
internal structure similar to struct key that holds key information but is not represented on wire an...
Definition crypto.h:163
const char * cipher
const name of the cipher
Definition crypto.h:142
const char * digest
Message digest static parameters.
Definition crypto.h:143
Container for unidirectional cipher and HMAC key material.
Definition crypto.h:152
uint8_t cipher[MAX_CIPHER_KEY_LENGTH]
Key material for cipher operations.
Definition crypto.h:153
uint8_t hmac[MAX_HMAC_KEY_LENGTH]
Key material for HMAC operations.
Definition crypto.h:155
Data structure for describing the packet id that is received/send to the network.
Definition packet_id.h:191
struct packet_id_send send
Definition packet_id.h:200
const char * tmp_dir
Definition ssl_common.h:396
const char * tls_crypt_v2_verify_script
Definition ssl_common.h:385
Security parameter state of a single session within a VPN tunnel.
Definition ssl_common.h:490
Control channel wrapping (–tls-auth/–tls-crypt) context.
Definition ssl_common.h:276
struct buffer tls_crypt_v2_metadata
Received from client.
Definition ssl_common.h:288
bool cleanup_key_ctx
opt.key_ctx_bi is owned by this context
Definition ssl_common.h:289
struct crypto_options opt
Crypto state.
Definition ssl_common.h:283
enum tls_wrap_ctx::@28 mode
Control channel wrapping mode.
struct key_ctx tls_crypt_v2_server_key
Decrypts client keys.
Definition ssl_common.h:285
struct key2 original_wrap_keydata
original key data to be xored in to the key for dynamic tls-crypt.
Definition ssl_common.h:299
struct env_set * es
static int cleanup(void **state)
struct gc_arena gc
Definition test_ssl.c:131
static const char * test_client_key
static const uint8_t TLS_CRYPT_METADATA_TYPE_USER
Metadata contains user-specified data.
Definition tls_crypt.c:43
const char * tls_crypt_v2_srv_pem_name
Definition tls_crypt.c:40
static bool tls_crypt_v2_verify_metadata(const struct tls_wrap_ctx *ctx, const struct tls_options *opt)
Definition tls_crypt.c:531
static void tls_crypt_v2_load_client_key(struct key_ctx_bi *key, const struct key2 *key2, bool tls_server)
Definition tls_crypt.c:308
const char * tls_crypt_v2_cli_pem_name
Definition tls_crypt.c:39
static const uint8_t TLS_CRYPT_METADATA_TYPE_TIMESTAMP
Metadata contains a 64-bit unix timestamp in network byte order.
Definition tls_crypt.c:45
static bool tls_crypt_v2_unwrap_client_key(struct key2 *client_key, struct buffer *metadata, struct buffer wrapped_client_key, struct key_ctx *server_key)
Definition tls_crypt.c:426
static bool tls_crypt_v2_wrap_client_key(struct buffer *wkc, const struct key2 *src_key, const struct buffer *src_metadata, struct key_ctx *server_key, struct gc_arena *gc)
Definition tls_crypt.c:369
static void xor_key2(struct key2 *key, const struct key2 *other)
Will produce key = key XOR other.
Definition tls_crypt.c:77
static struct key_type tls_crypt_kt(void)
Definition tls_crypt.c:48